1. Who We Are (Responsible Party)
VarsityOS is operated by Mirembe Muse Pty Ltd, a company registered in South Africa. We are the "responsible party" as defined in the Protection of Personal Information Act 4 of 2013 ("POPIA").
Contact our Information Officer: privacy@varsityos.co.za
We are required by POPIA to process your personal information lawfully, responsibly, and transparently.
2. What Personal Information We Collect
We collect only the minimum personal information necessary to provide our service ("data minimisation" as required by POPIA):
- Identity & contact: Name, email address (required to create an account)
- Academic profile: University, year of study, faculty, modules — used to personalise AI responses
- Financial data: Monthly budget, expense records, NSFAS allowance amounts you enter — stored securely, never shared
- Usage data: App interactions, AI message history, task completions — used to improve your experience
- Device & technical data: IP address (for security and fraud prevention), browser type, crash logs
- Payment data: Payment status from PayFast (we do not store your card details — PayFast is the payment processor)
We do NOT collect: South African ID numbers, bank account numbers, biometric data, or information about minors under 18.
3. Purpose of Processing (Why We Collect Your Data)
Under POPIA, we may only process personal information for a specific, explicitly defined, and lawful purpose. We collect your information for the following purposes:
- Providing and operating the VarsityOS platform (account management, feature access)
- Personalising your AI companion (Nova) using your academic and financial context
- Processing subscription payments via PayFast
- Sending service-related communications (account confirmations, payment receipts)
- Security and fraud prevention (rate limiting, suspicious activity detection)
- Improving our services through aggregate, anonymised analytics
- Complying with our legal obligations under South African law
We will not process your personal information for any purpose incompatible with those listed above without your explicit consent.
4. Lawful Basis for Processing
We process your personal information on the following lawful grounds under POPIA s11:
- Contractual necessity: Processing required to deliver the service you signed up for
- Legitimate interest: Security monitoring, fraud prevention, service improvement (always balanced against your rights)
- Legal obligation: Retaining payment records as required by tax law
- Consent: For any optional features, marketing, or uses beyond the above — we will ask explicitly
5. AI Processing (Nova) — Special Notice
VarsityOS uses Anthropic's Claude AI to power Nova. When you send a message to Nova:
- Your message and relevant personal context (budget, tasks, exams) are sent to Anthropic's API for processing
- Anthropic processes this data under their own privacy policy and data processing agreement
- We have enabled prompt caching — your base knowledge context is cached temporarily on Anthropic's infrastructure
- We do not use your conversations to train AI models
- Nova conversations are stored in our database and can be deleted on request
By using Nova, you consent to this processing. You can opt out by not using Nova features.
6. Data Sharing — Who Sees Your Data
We do not sell your personal information. We share data only with:
- Supabase (Supabase Inc.): Database and authentication infrastructure — data stored in the EU (Ireland) region
- Anthropic, PBC: AI processing for Nova responses — see Section 5
- PayFast (DPO PayGate (Pty) Ltd): Payment processing — they are a registered payment service provider in South Africa
- Vercel Inc.: Application hosting and analytics — anonymised page view data only
- Law enforcement: Only when required by a valid legal order under South African law
All third-party processors are bound by data processing agreements ensuring POPIA-equivalent protections.
7. Cross-Border Data Transfers
Some of our service providers (Supabase, Anthropic, Vercel) process data outside South Africa. Under POPIA s72, we may transfer personal information to foreign countries only where:
- The recipient country has adequate data protection laws; or
- We have a binding data processing agreement in place with adequate protections; or
- You have consented to the transfer
All our service providers maintain appropriate technical and organisational security measures.
8. Your Rights Under POPIA
You have the following rights regarding your personal information (POPIA ss23–25):
- Right of access: Request a copy of the personal information we hold about you
- Right to correction: Request correction of inaccurate or incomplete information
- Right to deletion: Request deletion of your personal information (subject to legal retention obligations)
- Right to object: Object to processing based on legitimate interest at any time
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing
- Right to complain: Lodge a complaint with the Information Regulator of South Africa
To exercise any right, email: privacy@varsityos.co.za. We will respond within 30 days as required by POPIA.
9. Data Retention
We retain personal information only as long as necessary for the purpose it was collected (POPIA s14):
- Account data: For the duration of your account + 12 months after deletion request
- Financial/payment records: 5 years (required by South African tax law — Income Tax Act)
- AI conversation history: For the duration of your account or until you request deletion
- Security logs: 90 days
10. Security Measures
We implement appropriate technical and organisational measures to protect your personal information (POPIA s19), including:
- Row-Level Security (RLS) — you can only access your own data in our database
- Encryption in transit (HTTPS/TLS) and at rest (AES-256)
- Rate limiting on all API endpoints to prevent abuse
- API keys never exposed to browsers or client-side code
- Secure, httpOnly session cookies
- IP whitelisting on payment webhooks
11. Cookies
We use only essential cookies (authentication session management). We do not use tracking cookies, advertising cookies, or third-party analytics cookies that identify you personally. Session cookies are deleted when you log out.
12. Children's Privacy
VarsityOS is intended for university students aged 18 and older. We do not knowingly collect personal information from persons under 18. If you believe a minor has created an account, contact us immediately and we will delete the account.
13. Breach Notification
In the event of a data breach that poses a risk of harm, we will notify the Information Regulator and affected data subjects within the timeframes prescribed by POPIA and as directed by the Regulator.
14. Changes to This Policy
We may update this policy. Material changes will be communicated via email or prominent in-app notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.